Testimony: There’s No Internet of Things Risk in Repair

A proposed right to repair law in New Hampshire won’t make the Internet of Things one iota less secure. It will benefit consumers and the planet by extending the useful life of a wide range of connected devices, while making it easier to keep them secure throughout their useful life.

Editor’s Note: the following is testimony I prepared for a February 5, 2019 hearing of the New Hampshire House Committee on Commerce and Consumer Affairs regarding House Bill #462 governing digital electronic repair. I spoke in favor of the legislation, which would enshrine a “right to repair” digital and electronic devices in New Hampshire law.

Ladies and gentlemen of the Committee on Commerce and Consumer Affairs: I want to thank you for allowing me the time to speak. My name is Paul Roberts and I am the publisher and Editor in Chief of The Security Ledger (securityledger.com), an independent security news website that explores the intersection of cyber security with the Internet of Things.

Paul Roberts is the Publisher and Editor in Chief of The Security Ledger

One of the issues that is frequently raised in connection with right to repair legislation is cyber security. Specifically, proposed legislation like HB 462 leads to questions about whether right to repair legislation will increase the risk of hacking. With your permission, I’m here to talk to you about that and to assure you, unequivocally, that repair is not hacking and that the very real cyber risks that exist in connected devices are totally unrelated to the provisions of HB 462, the right to repair bill.

A couple words about me…

For the last 16 years, I have been covering
the information technology security space as a reporter, editor and industry
analyst. I have appeared as an expert guest discussing cyber security related
news on NPR’s Marketplace Tech Report, KPCC’s AirTalk, Al Jazeera Television
and The Oprah Show.

Since launching The Security Ledger in 2012, I have published close to 1,600 articles on issues related to cyber security, many of them touching on the security challenges of the Internet of Things. Writing for publications such as The Christian Science Monitor, I have explored incidents like the 2016 denial of service attack on DYN, a Manchester New Hampshire based provider of Domain Name System services that was knocked offline by a denial of service attack launched by a botnet, “Mirai,” made up of hundreds of thousands of hacked webcams and digital video recorders. As the Mirai botnet attack on DYN showed: many connected devices like cameras, digital video recorders, home routers and even smart home devices are sold with software that contains dire, exploitable software holes.

Repair is not hacking

For our purposes today, it is important for all of you to consider that the hundreds of thousands of connected cameras, home routers and digital video recorders that attacked DYN were not hacked because hackers took advantage of detailed repair schematics or read their way through service manuals. They were not hacked because cyber criminals gamed diagnostic codes and tools intended for use by owners or independent repair professionals. The malicious actors behind the Mirai botnet had little trouble hacking these devices by exploiting holes left by the manufacturer or insecure features that should have been identified and fixed prior to the device’s release. A New Hampshire firm paid the price, as did its customers: some of the biggest technology firms in the world.

Why is the software in connected to these
devices so often troubled by security holes? Because, what drives almost every
device maker’s development process is not security but speed: time to market in
a competitive consumer electronics market. That compels many manufacturers of
electronics to take shortcuts on security or to ignore it entirely.

A repair coach works on an electric toothbrush at a repair clinic in Boston. (Photo by Paul Roberts)

Home electronics, smart home devices,
appliances, even machinery ship with easily exploitable software
vulnerabilities. Or they are insecure by default: shipped and installed with
the digital equivalent of unlocked or unlockable doors that malicious actors
can step through. Just one example: home broadband routers that bring Internet
connectivity to your homes and offices might ship with the same default
administrator account and password. Further, that password may be trivial, or
entirely absent.

Finally, many of these devices are deployed in
an insecure state. Un-needed communications ports on these devices are open and
“listening” for anyone on the Internet who wishes to connect. Communications to
and from these devices are sent “in the clear” allowing would be hackers to
snoop on it and steal sensitive information like passwords and account
credentials. Very often, their software is out of date and lacks features to
automatically update or notify owners when updates are available.

Follow the money

These problems are well known within the
information security community that I am a part of. Sadly, rather than spending
their money to address software insecurity in their product portfolios and
industries, device makers – working through industry groups and lobbying firms
– are spending their money in these halls trying sink right to repair
legislation like HB 462 that is wholly unrelated to these core security
challenges.

Why, you might ask? Because even though right to repair has no bearing on the security of their products, it does risk snuffing out a lucrative revenue stream in after market parts and repairs. Anyone here who has ever taken a Macbook or iPhone to the Genius Bar to repair has first hand experience of what even a near monopoly on aftermarket parts and repair looks like. Namely: platinum offerings by a limited number of “authorized dealers” with astronomically marked up part and service costs. Again: do not be fooled.

Stand with consumers

As lawmakers you all are in a difficult
position. Few, if any of you, are technologists or software engineers. As a
rule, you do not have domain expertise in specialized area like software
application design, embedded device engineering or cyber security. Still, it is
you who ultimately must decide whether or not to enshrine the right to repair
in New Hampshire law.

HB 462, the right to repair bill, will enshrine the rights of owners and independent repair professionals in state law: extending the useful life of a wide range of electronic devices by removing burdensome manufacturer-designed locks and restrictions.

What HB 462 will not do is make smartphones, smart home devices, snow blowers, lawn mowers, webcams or other personal or business electronics one iota less secure. It will not make those devices more prone to hacking and online predation. Just the opposite: by providing owners with the tools and information they need to manage smart, Internet connected devices throughout their life, it will make those devices more adaptable to changing risks and better able to resist cyber attacks today and in the distant future. I urge you to support it.

Author: PaulI'm an experienced writer, reporter and industry analyst with a decade of experience covering IT security, cyber security and hacking, and a fascination with the fast-emerging "Internet of Things."